The Mozilla Foundation fixed a flaw in its Firefox browser that allowed spoofing of the HTTPS secure communications icon, displayed as a padlock in the browser address window. Successful exploitation of the flaw could have allowed a rogue website to intercept browser communications.
The patch was part of the non-profit’s Monday update to Firefox 88 and its corporate Firefox ESR 78.10 browser and its Thunderbird 78.10 email client. In total, Firefox 88 addresses 13 browser bugs, six of which are rated high-severity.
Padlock Bug: False Sense of Security
Tracked as CVE-2021-23998, the secure-lock-icon bug affects both the consumer and corporate versions of Firefox prior to the Monday releases. “Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page,” wrote Mozilla in its security advisory.
Credited for discovering the spoofed secure lock icon is independent researcher Jordi Chancel, who on December 10, 2020 tweeted “I discovered again a new SSL Spoofing Issue (and others various security issues last 2 months)”. The vulnerability has a severity rating of moderate, Mozilla reported (https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23998).
The browser padlock icon, used by all major browsers, indicates a secure communication channel between the browser and the server hosting the website. It indicates the communication is encrypted using HTTPS and utilizes an SSL/TLS certificate.
Six High-Severity Bugs
Bug hunter Irvan Kurniawan is credited with unearthing two of the high-severity bugs and one moderate flaw fixed in Firefox on Monday. One (CVE-2021-23995) is a bug described as a “use-after-free in responsive design mode”.
“When Responsive Design Mode was enabled, it used references to objects that were previously freed. We presume that with enough effort this could have been exploited to run arbitrary code,” wrote Mozilla. Responsive design is a term used to describe how websites automatically adapt to different-sized screens.
Kurniawan is also credited with finding a use-after-free bug (CVE-2021-23997) that can be triggered by the release of a web-based font from the browser’s cache. This bug, like Kurniawan’s other vulnerability, could be used by an adversary to target a specific browser and execute remote code.
“Due to unexpected data type conversions, a use-after-free could have occurred when interacting with the font cache. We presume that with enough effort this could have been exploited to run arbitrary code,” Mozilla wrote.
The Mozilla security bulletin is light on the technical specifics of the bugs and does not indicate whether any of the 13 flaws outlined in its advisory are being exploited in the wild. The relatively mild collection of Firefox fixes stands in contrast to Google and its Chrome browser, which last week rushed out patches addressing a zero-day remote code execution (RCE) vulnerability.